HIPAA Information 


Who does HIPAA apply to? 


HIPAA applies to all Covered Entities (entities that 
collect, access, use and/or disclose Protected Health 
Data (PHI) and are subject to HIPAA regulations). 


What is a Business Associate? 


HIPAA allows Covered Entities to contract Business 
Associates to perform functions for the Covered 
Entity. It requires the Covered Entity to enter into a 
Business Associate Agreement in which Business 
Associate assures that it will safeguard the PHI 
disclosed to it by the Covered Entity. 


Sync.com is an ideal HIPAA Business Associate for 
Covered Entities. All data stored on our servers is 
encrypted. The unique zero-knowledge nature of 
our storage system makes us unable to decrypt 
any PHI stored on our servers. 


There is no Unsecured Protected Health Information
stored on our servers or available to Sync.com, its
employees, or its subcontractors.


What are Sync.com’s
responsibilities? 


* Providing the Covered Entity with a download of 
the Sync client software 

* Data encryption during transit and at rest on
Sync.com’s servers

* Implementation of Policies and Procedures to 
ensure that all Sync.com employees and 
subcontractors appropriately handle the Covered 
Entity's data 

* Restricted physical access to servers that store PHI

* Implementation and enforcement of controls to
safeguard the Covered Entity’s data on Sync.com’s
servers

* Training and supervision of datacenter personnel 


What are the responsibilities of the 
Covered Entity? 


* Enrolment in an eligible Sync.com Pro plan 

* Implementation of a signed HIPAA Business 
Associate agreement with Sync.com prior to 
storing PHI on Sync.com’s servers 
(contact sales@sync.com for BAA) 

* Configuration of Sync client software on the 
Covered Entity’s devices in a HIPAA-compliant 
manner 

* Safeguarding PHI on all devices (computers, 
laptops, mobile devices, etc.) 

* Restricting access to devices containing PHI, 
including passwords, auto-lock, etc. 

* Safeguarding login information to the Sync client 
software on all devices (computers, laptops, 
mobile devices, etc.) 

* Implementation and enforcement of policies and 
procedures regarding handling of PHI 

* Implementation of a security strategy regarding 
PHI stored on the Covered Entity's devices 


Questions? sales@sync.com 
500 Sheppard Ave. East, Suite 206 
Toronto, ON M2N 6H7 


HIPAA BUSINESS ASSOCIATE AGREEMENT


Date: 

Business Associate: Sync.com Inc.
Address: Sync.com Inc.
155 Gordon Baker Road, Suite 102
Toronto, ON M2H 3N5

Covered Entity:
Address:


This Business Associate Agreement (the “Agreement”) is entered into as of the date set forth above, by and 
between the Covered Entity and the Business Associate. 


A. Definitions: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those
terms in the Privacy and Security Rules.


1. “Agreement” shall mean this Business Associate Agreement. 


2. “Breach” shall have the same meaning as the term “breach” in 45 C.F.R. section 164.402 and shall be limited 
to those events that compromise the security or privacy of PHI as determined by Business Associate in its sole 
discretion in accordance with HIPAA. 


3. “Business Associate” shall mean the business associate set forth above. 
4. “Covered Entity” shall mean the covered entity set forth above. 


5. “HIPAA” shall mean the Administrative Simplification provisions of the Health Insurance Portability and 
Accountability Act of 1996 and the regulations promulgated thereunder, including the Standards for Privacy of 
Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Health 
Information at 45 CFR part 160 and part 164, as amended by the HITECH Act and the Final Regulations. 


6. “HITECH Act” shall mean Title XII, Subtitle D of the Health Information Technology for Economic and Clinical 
Health Act of 2009, and the regulations promulgated thereunder. 


7. “Final Regulations” shall mean the final regulations issued by the Department of Health and Human Services 
under HIPAA as part of the Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification 
Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic 
Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule, 78 Fed. Reg. 5565 (Jan. 
25, 2013). 


8. “Privacy and Security Rules” shall mean HIPAA, as amended and supplemented by the HITECH Act and the 
Final Regulations. 


9. “Protected Health Information” or “PHI” shall have the same meaning as the term “protected health
information” in 45 CFR 160.103, limited to the information created, received, maintained or transmitted by 
Business Associate or its Subcontractor from or on behalf of Covered Entity. 


10. “Secretary” shall mean the Secretary of the Department of Health and Human Services. 


11. “Security Incident” shall have the same meaning as the term “security incident” in the Privacy and Security 
Rules, but shall not include trivial incidents that occur on a daily basis such as scans, “pings,” or routine 
unsuccessful attempts to penetrate computer networks or servers maintained or utilized by Business Associate. 


12. “System” shall mean the Business Associate’s computer system and services to be provided to the Covered 
Entity. 


13. “Unsecured Protected Health Information” shall mean protected health information that has not been 
rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or 
methodology specified by the Secretary in guidance. 


B. Obligations and Activities of Business Associate. 
Business Associate agrees: 


1. Privacy and Security Rules. To comply with the Privacy and Security Rules that are applicable to a “business 
associate” (as such term is defined in the Privacy and Security Rules). 


2. Protected Health Information. To not use or disclose Protected Health Information other than as permitted or 
required by this Agreement or as Required By Law, and to the extent Business Associate carries out the Covered 
Entity's obligation(s) under the Privacy and Security Rules, to comply with all Privacy and Security Rules that 
would apply to the Covered Entity in the performance of such obligation(s) as required under 45 CFR 164.504(e) 
(2)(ii)(H). 


3. Safeguards. To implement and use appropriate safeguards to prevent use or disclosure of PHI other than as 
provided for by this Agreement. Safeguards shall include the establishment and maintenance of appropriate 
administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, 
integrity and availability of PHI (whether electronic or otherwise). Business Associate will follow
generally-accepted system security principles and comply with the requirements of the Privacy and Security Rules,
including without limitation 45 CFR 164.308, 164.310, 164.312 and 164.316. 


4. Mitigation. To mitigate, to the extent practicable, any harmful effect that is known to or reasonably should be 
known to Business Associate of a use or disclosure of PHI by Business Associate or its Subcontractors or any of 
their employees or agents in violation of the requirements of this Agreement or the Privacy and Security Rules. 


5. Breach Notification. To promptly provide written notice to the Covered Entity of a Breach of Unsecured 
Protected Health Information by Business Associate or its Subcontractors or any of their employees or agents 
of which it becomes aware. 


6. Security Incident Reporting. To promptly provide written notice to the Covered Entity of a Security Incident of 
which it becomes aware. 


7. Agents. To ensure that any employee or agent of Business Associate, including a Subcontractor, that creates,
receives, maintains or transmits PHI on its behalf agrees in writing to the same restrictions and conditions that 
apply through this Agreement and the Privacy and Security Rules to Business Associate with respect to such 
PHI. 


8. Access. To provide to Covered Entity or to the Individual, as requested by Covered Entity, prompt access to 
PHI at its or his/her request in a Designated Record Set, if so kept by the Covered Entity, as necessary to meet 
the requirements under 45 CFR 164.524 and the Privacy and Security Rules. Covered Entity shall be solely 
responsible for maintaining any Designated Record Sets in appropriate files or folders so that any access to a 
Designated Record Set provided by Covered Entity to any Individual shall comply with the requirements of all
applicable sections of the Privacy and Security Rules and the Final Regulations. To the extent that such PHI is 
maintained in an Electronic Health Record, Business Associate agrees to produce a copy of such PHI in 
electronic format upon Covered Entity’s written request in accordance with the Privacy and Security Rules. Due 
to the fact that all PHI is encrypted by the Covered Entity’s client computer, neither the Business Associate nor 
any person or subcontractor working for or on behalf of the Business Associate has access to any PHI stored on 
the System by the Covered Entity. 


9. Audit. To promptly make internal practices, books, and records, including PHI and policies and procedures 
relating to the use and disclosure of PHI, available to the Secretary, in a time and manner mutually agreed to by 
Business Associate and the Secretary, for purposes of the Secretary determining Covered Entity's or Business 
Associate's compliance with the Privacy and Security Rules. 


10. Accounting. To document disclosures of PHI, and information related to such disclosures, as would be 
required for Covered Entity or Business Associate to timely respond to a request by an Individual for an 
accounting of disclosures of PHI in accordance with 45 CFR 164.528 or 42 U.S.C. section 17935(b). Business 
Associate agrees to provide to Covered Entity and/or an Individual (as requested) within thirty (30) days of 
receipt of a written request from the Covered Entity, such information as necessary to satisfy Covered Entity’s 
obligations under 45 CFR 164.528 or 42 U.S.C. section 17935(b). Business Associate further agrees that its 
accounting shall include the following: 


(a) Except for repetitive disclosures of PHI as specified below, (i) the disclosure date; (ii) the name and (if known) 
address of the entity to which Business Associate made the disclosure; (iii) a brief description of PHI disclosed; 
and (iv) a brief statement of the purpose of the disclosure; or 


(b) For repetitive disclosures of PHI that Business Associate makes for a single purpose to the same person or 
entity (including Covered Entity), (i) for the first of the repetitive accountable disclosures, the disclosure 
information specified in the preceding subsection; (ii) the frequency, periodicity, or number of the repetitive 
accountable disclosures; and (iii) the date of the last of the repetitive accountable disclosures. 


11. Restrict Use/Disclosure. To restrict the use or disclosure of PHI as required by 42 U.S.C. section 17935(a) and 
45 CFR 164.522, as requested by Covered Entity or an Individual. Covered Entity will notify Business Associate in 
writing of the restriction that Business Associate must follow and will promptly notify Business Associate in 
writing of the termination of any such restriction and instruct Business Associate whether any PHI will remain 
restricted. 


12. No Sale of PHI. To not directly or indirectly receive remuneration in exchange for PHI or otherwise engage in 
a Sale of PHI. Due to the nature of the System, Business Associate is unable to access any PHI that Covered 
Entity stores on the System. 


13. Marketing Limits. To not make or cause to be made any communication about a product or service or
otherwise engage in Marketing that is prohibited by 42 U.S.C. § 17936 or does not meet the requirements of the
Privacy and Security Rules, including the requirement to obtain authorization to comply with 45 CFR 164.508. 


14. Genetic Information Restrictions. To not use or disclose Genetic Information for underwriting purposes in 
violation of the Privacy and Security Rules. Due to the nature of the System, Business Associate is unable to 
access any PHI that Covered Entity stores on the System. 


C. Permitted Uses and Disclosures by Business Associate; General Use and Disclosure Provisions 


Except as otherwise limited in this Agreement, Business Associate may only use or disclose PHI to perform 
functions, activities, or services for, or on behalf of, Covered Entity as specified in its service agreement(s) with 
Covered Entity, provided that such use or disclosure would not violate the Privacy and Security Rules if done by 
Covered Entity or Business Associate. Business Associate is authorized to de-identify PHI and use or disclose
de-identified PHI in accordance with 45 CFR 164.514(a)-(c). Any use or disclosure of PHI by Business Associate 
shall be limited to a Limited Data Set or the Minimum Necessary to accomplish the intended purpose of such 
use or disclosure, or otherwise comply with guidance on “minimum necessary” as promulgated by the Secretary 
in accordance with section 13405(b) of the HITECH Act, as codified at 42 U.S.C. section 17935(b). Due to the 
nature of the System, Business Associate is unable to access any PHI that Covered Entity stores on the System. 


D. Specific Use and Disclosure Provisions 


Except as otherwise limited in this Agreement, Business Associate is entitled under HIPAA and the HITECH Act to 
use or disclose PHI as follows: 


(a) Use PHI if necessary for the proper management and administration of Business Associate or to carry out 
the legal responsibilities of Business Associate as permitted by 45 CFR 164.504(e)(4)(i). 


(b) Disclose PHI if necessary for the proper management and administration of Business Associate or to carry 
out the legal responsibilities of Business Associate as permitted by and in accordance with the requirements of 
45 CFR 164.504(e)(4)(ii) if the disclosures are Required By Law or Business Associate enters, with prior written 
approval by Covered Entity, into a written agreement with the person to whom the information is disclosed that 
it will remain confidential and be used or further disclosed only as Required By Law and permitted by this 
Agreement or for the purpose for which it was disclosed to the person, the person agrees to immediately notify 
Business Associate of any instances of which it becomes aware in which the confidentiality of the information 
has been breached, and the person agrees to cooperate with Business Associate in providing the required 
notifications under the HITECH Act, as amended by the Final Regulations. 


(c) Use PHI to provide Data Aggregation services to Covered Entity upon Covered Entity’s request as permitted 
by 45 CFR 164.504(e)(2)(i)(B). 


(d) Use PHI to report violations of law to appropriate Federal and state authorities, consistent with 45 CFR 
164.502(j)(1). 


However, due to the nature of the System, Business Associate is unable to access any PHI that Covered Entity 
stores on the System. 


E. Obligations and Activities of Covered Entity


1. Covered Entity shall notify affected Individuals, the Secretary, or the media, as applicable, upon a Breach of 
Unsecured Protected Health Information in accordance with the Privacy and Security Rules. 


2. Covered Entity will notify Business Associate of the following, to the extent it may affect Business Associate's 
use or disclosure of PHI: 


(a) any limitation(s) in Covered Entity’s notice of privacy practices in accordance with 45 CFR 164.520; 
(b) any changes in, or revocation of, permission by an Individual to use or disclose PHI; and 


(c) any restriction to the use or disclosure of PHI that Covered Entity has agreed to in accordance with 45 CFR 
164.522 or 42 U.S.C. section 17935(a). 


3. Except as provided above regarding data aggregation and management and administrative activities of 
Business Associate, Covered Entity will take reasonable steps to make sure that it does not request Business 
Associate to use or disclose PHI in any manner that would not be permissible under the Privacy and Security 
Rules if done by Covered Entity. 


Due to the nature of the System, Business Associate is unable to access any PHI that Covered Entity stores on 
the System. 


4. Covered Entity is responsible for: 


(a) safeguarding Unsecured PHI on its devices and for implementing controls to prevent unauthorized access to 
PHI on their devices. 


(b) configuring the Sync.com client in a HIPAA-compliant manner. Covered Entity is responsible for abiding by 
the terms and conditions of this agreement and all Sync.com HIPAA Guidelines. 


(c) safeguarding the login information of the Sync.com client on its devices. 


(d) implementing, training and enforcing policies and procedures regarding the use of Sync.com for PHI in a 
HIPAA compliant manner. 


F. Term and Termination 


1. Term. This Agreement shall be effective as of the date set forth at the beginning of this Agreement and shall 
terminate when Business Associate or its Subcontractors or any of their employees or agents destroy or return 
all of the PHI to Covered Entity, or if it is infeasible to return or destroy PHI, protections are extended by the 
applicable entity to such information, in accordance with the termination provisions in this Section. 


2. Termination for Cause. Upon Covered Entity’s knowledge of a material breach by Business Associate, Covered 
Entity has the right to: 


(a) provide an opportunity for Business Associate to cure the breach or end the violation, and terminate this 
Agreement and the service agreement(s) between the parties if Business Associate does not cure the breach or 
end the violation within the time specified by Covered Entity; 


(b) immediately terminate this Agreement and the service agreement(s) between the parties if Business
Associate has breached a material term of this Agreement and cure is not possible; or 


(c) if neither termination nor cure are feasible, report the violation to the Secretary.


3. Effect of Termination.


(a) Except as provided in paragraph (b) of this Section, upon termination of this Agreement for any reason, 
Business Associate or its Subcontractors or any of their employees or agents shall return or destroy all PHI 
received from Covered Entity, or created, maintained or received by Business Associate or its Subcontractors or 
any of their employees or agents on behalf of Covered Entity, that the Business Associate or its Subcontractors 
or any of their employees or agents still maintains in any form and shall retain no copies of the PHI. 


(b) In the event that Business Associate or its Subcontractors or any of their employees or agents determines 
that returning or destroying the PHI is infeasible, Business Associate shall provide to Covered Entity written 
notification of the conditions that make return or destruction infeasible. Upon determining that return or 
destruction of PHI is infeasible, Business Associate or its Subcontractors or any of their employees or agents 
shall extend the protections of this Agreement and the Privacy and Security Rules to such PHI and limit further 
uses and disclosures of such PHI to those purposes that make the return or destruction infeasible, for so long 
as Business Associate or its Subcontractors or any of their employees or agents maintain such PHI. 


G. Miscellaneous 


1. Survival. The respective rights and obligations of Business Associate under the Sections of this Agreement 
entitled “Breach Notification” and “Effect of Termination” shall survive the expiration or termination of this 
Agreement. The respective rights and obligations of Covered Entity under Section E of this Agreement shall 
survive the expiration or termination of this Agreement. 


2. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the 
Privacy and Security Rules. 


3. No Third Party Beneficiaries. This Agreement shall not confer any benefit or rights upon any person other 
than the parties hereto, and no third party shall be entitled to enforce any obligation, responsibility, or claim of 
either party to this Agreement, unless expressly provided otherwise in this Agreement or by law. 


4. Choice of Law. The laws of the State of California shall govern this Agreement. 


5. Binding Nature and Assignment. This Agreement and the rights and obligations of a party hereto may be 
assigned only upon the prior written approval of the other party. The rights and obligations of the parties will 
inure to the benefit of, will be binding upon, and will be enforceable by the parties and their lawful successors, 
authorized assigns, and representatives. 


6. Notices. Any notices required or permitted under this Agreement shall be deemed effective (a) on the day
when personally delivered to a party, or (b) if sent by registered or certified mail, return receipt requested, on
the third (3rd) business day after the day on which mailed, postage prepaid, to such party at the address listed
at the beginning of this Agreement. Either party may only change its address for notices under this Section by a
written notice to the other party given in accordance with this Section.


7. Waiver. No waiver or discharge of obligations arising under this Agreement shall be valid unless in writing 
and executed by the party against whom such waiver or discharge is sought to be enforced. The waiver by 
either party to this Agreement of a breach of any provisions of this Agreement shall not operate or be 
construed as a waiver of any subsequent breach of the same or any other provision of this Agreement. 


8. Change in Law; Amendments.


(a) A reference in this Agreement to a provision of HIPAA, the HITECH Act or the Final Regulations means such 
provision as in effect or as amended and all formal guidance issued thereunder. 


(b) No amendment or modification of this Agreement will be effective except by a written amendment executed 
by the party against whom such amendment or modification is sought to be enforced. 


(c) The parties acknowledge that it may be necessary to amend this Agreement from time to time as required by 
the provisions of the Privacy and Security Rules, or other applicable law, to ensure that this Agreement is 
consistent with all such laws and regulations. The parties agree to take such action to amend this Agreement 
from time to time as is necessary for Covered Entity and Business Associate to comply with the requirements of 
the Privacy and Security Rules and other applicable laws. This Agreement may be terminated by either party 
upon thirty (30) days’ prior written notice to the other party, or upon such lesser notice as required by 
applicable law, if the parties fail to reach written agreement on modifications to this Agreement needed to 
comply with the provisions of applicable law. 


9. Counterparts. This Agreement may be executed in one or more counterparts, all of which shall be considered 
one and the same agreement. 


In witness whereof, the parties have executed this Agreement as of the day and date set forth above. 


Covered Entity:
By:
Title:

Business Associate: Sync.com Inc.
By:
Title:


*Your typed signature and submission of the e-mailed document constitutes a legal and binding signature to the BAA with
Sync.com, Inc.


Updated March 13, 2014 


